Post in Announcements (Altcoins): Re: NXT :: descendant of Bitcoin - Updated Information
by iruu on 09/02/2014, 23:44:00 UTC
I give 99% that the fix of Curve25519 is safe, but the remaining 1% doesn't let me use the fix coz this part is the most critical part of Nxt. So without a formal proof I'll stick to the loop inside Crypto.sign.

Last one from me:
There's nothing to prove: the math stays the same, it's the implementation that's wrong, not the math.
All the math is already in the file in the comments, those comments were made by this "xmath" dude from sci.crypt (I assume this is Matthijs van Duin).

But ok, I can understand that you're afraid of such a change.
Code:
// Java fragment of the proposed fix as quoted in this post.
// The branch is taken only when the top bit of v[31] is set,
// so how much work runs here depends on the value of v.
if ((v[31] & 0x80) != 0)
{
    mula_small(v, v, 0, ORDER, 32, 1);
}
Don't do this. The time required to run the code should NEVER depend on input data. This makes timing attacks possible (depending on how the methods are used).
If this is fixed it should be incorporated into the main client.
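To make the timing point concrete, here is an added C example (not the Nxt Java code and not from anyone in this thread) that contrasts the data-dependent branch with a branch-free equivalent. It assumes that the post's ORDER holds the standard Curve25519 group order in little-endian bytes and that the fix's intent is "add ORDER to the 32-byte value v when the top bit of v[31] is set, dropping the final carry"; both functions below implement exactly that, but only the second one does the same amount of work for every input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Group order of Curve25519, l = 2^252 + 27742317777372353535851937790883648493,
 * as 32 little-endian bytes. Standard value; assumed to match the post's ORDER. */
static const uint8_t ORDER[32] = {
    0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58,
    0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10
};

/* Variable-time version: mirrors the quoted fix. The 32-iteration
 * addition runs only when bit 7 of v[31] is set, so the running time
 * (and cache/branch-predictor footprint) reveals that bit of v. */
void add_order_if_negative_branchy(uint8_t v[32])
{
    if ((v[31] & 0x80) != 0) {
        unsigned carry = 0;
        for (int i = 0; i < 32; i++) {
            carry += (unsigned)v[i] + ORDER[i];
            v[i] = (uint8_t)carry;
            carry >>= 8;
        }
    }
}

/* Constant-time version: always run the loop, and fold the condition
 * into an all-ones / all-zeros mask that decides whether ORDER
 * contributes. Same result as above, but no data-dependent branch. */
void add_order_if_negative_ct(uint8_t v[32])
{
    /* mask is 0xff when bit 7 of v[31] is set, 0x00 otherwise */
    uint8_t mask = (uint8_t)(0u - ((v[31] >> 7) & 1u));
    unsigned carry = 0;
    for (int i = 0; i < 32; i++) {
        carry += (unsigned)v[i] + (uint8_t)(ORDER[i] & mask);
        v[i] = (uint8_t)carry;
        carry >>= 8;
    }
}

/* Returns 1 if both versions produce the same output for the given input. */
int same_result(const uint8_t in[32])
{
    uint8_t a[32], b[32];
    memcpy(a, in, 32);
    memcpy(b, in, 32);
    add_order_if_negative_branchy(a);
    add_order_if_negative_ct(b);
    return memcmp(a, b, 32) == 0;
}

int main(void)
{
    /* Constructed sample: v = 2^255, i.e. only the top bit of v[31] set. */
    uint8_t v[32] = {0};
    v[31] = 0x80;
    add_order_if_negative_ct(v);
    for (int i = 0; i < 32; i++)
        printf("%02x", v[i]);
    printf("\n");
    return 0;
}
```

The mask trick is the usual replacement for a secret-dependent `if`, but it is only a source-level property: an optimizing compiler is free to turn the mask back into a branch, so real constant-time code is checked at the machine-code level (disassembly, or tools that flag secret-dependent control flow and memory access) rather than trusted from the C alone.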